PolicifyAI
Published March 2026 · 8 min read
GDPR Compliance Checklist for SaaS Founders in 2026
A practical step-by-step checklist covering the six lawful bases, data subject rights, DPA obligations, and what actually triggers an ICO investigation.
Why GDPR still catches founders off guard
GDPR has been in force since May 2018, yet the ICO continues to issue fines to businesses that should know better — including startups and SaaS companies handling relatively small volumes of personal data. The most common reason is not wilful negligence: it is founders who assume that a copied privacy policy from another website is enough.
It isn't. Here is a practical checklist of what you actually need.
1. Identify your lawful basis for every processing activity
You must have a lawful basis for every purpose for which you process personal data, not merely for each type of data you hold. The six bases under Article 6 are: consent, contract performance, legal obligation, vital interests, public task, and legitimate interests. Most SaaS companies rely on contract performance (to deliver the service) and legitimate interests (for security, fraud prevention, product analytics, and marketing to existing customers). Two caveats: legitimate interests requires a documented balancing test (a Legitimate Interests Assessment) showing that your interest is not overridden by the individual's rights, and email or SMS marketing is separately governed by PECR, which requires consent or the "soft opt-in" for existing customers whatever GDPR basis you rely on.
Document each processing activity in a Record of Processing Activities (RoPA). This does not need to be complex — a spreadsheet works fine.
2. Update your privacy policy to cover what GDPR actually requires
At a minimum your privacy policy must state: who you are, what data you collect, why you collect it and under which lawful basis, who you share it with, how long you keep it, and what rights users have. Articles 13 and 14 also require you to disclose any transfers outside the UK or EEA and the safeguards used, to say where the data came from when you did not collect it from the user directly, and to tell users they can complain to the ICO. A generic template copied from another website will almost certainly be missing one or more of these.
3. Appoint a Data Protection Officer if required
Most SaaS companies are not required to appoint a DPO. The Article 37 triggers are: you are a public authority; your core activities involve regular and systematic monitoring of individuals on a large scale; or your core activities involve large-scale processing of special category data (health, biometrics, sexual orientation, etc.) or criminal conviction data. If you appoint a DPO voluntarily, the same statutory duties and independence requirements apply. If in doubt, consult a privacy lawyer.
4. Get your data processor agreements in order
Every third-party service that processes personal data on your behalf (your hosting provider, CRM, email platform, support desk) is a processor, and Article 28 requires a written contract with it, usually called a Data Processing Agreement (DPA), containing specific mandatory terms: processing only on your documented instructions, confidentiality, appropriate security measures, controls over sub-processors, assistance with data subject requests and breaches, and deletion or return of the data at the end of the service. Most major providers (AWS, Google, Stripe, Mailchimp) offer standard DPAs you can accept in their account settings; check that you have actually done so and keep a copy. Note that some services, payment processors in particular, act as independent controllers for part of the data they receive, and for that data their published terms rather than a processor DPA apply.
5. Handle data subject requests within one month
Under GDPR, users can request access to their data (a subject access request), rectification, erasure, restriction and portability, and can object to processing based on legitimate interests. You must respond without undue delay and at the latest within one month of receipt, not a fixed 30 days: the ICO counts the month from the day the request arrives to the corresponding date in the following month (or the last day of that month if there is no corresponding date), so a request received on 3 March is due by 3 April. You may extend by up to two further months for complex or numerous requests, but you must tell the requester within the first month. Build a process for this before you receive a request, not after: know where every copy of a user's data lives, including backups and processors, and be able to verify the requester's identity without demanding more data than you need.
6. Ensure cross-border transfer mechanisms are in place
If you transfer personal data outside the UK or EEA (and giving a processor in another country remote access counts as a transfer), you need a legal mechanism. Adequacy decisions cover the easy cases: the EU has an adequacy decision for the UK and the UK treats the EEA as adequate, so UK-EU transfers need no additional safeguard. Otherwise you need appropriate safeguards: for transfers from the EU, the EU Standard Contractual Clauses (SCCs); for transfers from the UK, the ICO's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs. Transfers to the US can rely on the EU-US Data Privacy Framework (from the EU) or the UK-US Data Bridge (from the UK) only where the US recipient is certified under that framework; otherwise fall back to SCCs or the IDTA together with a transfer risk assessment. Check your processors' DPAs and sub-processor lists to find out where your data actually goes.
7. Review your consent banners
Cookie consent is governed by PECR (the ePrivacy rules), which borrows GDPR's definition of consent. Cookies and similar storage that are strictly necessary for the service the user has asked for (session cookies, load balancing, the consent record itself) need no consent. For everything else, including analytics and advertising, you need genuine opt-in consent before the cookie is set or the script runs: pre-ticked boxes, "by continuing to use this site" language, and banners where rejecting is harder than accepting are not valid. Consent must be freely given, specific (per purpose, not one blanket tick), informed and unambiguous; it must be as easy to withdraw as to give; and you should keep a record of what was consented to, when, and under which version of your cookie notice.
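The gating logic behind a compliant banner, as an added example that is not code from the PolicifyAI page: optional categories default to off, only an explicit `true` counts as consent, a stored record is discarded when the cookie notice version changes, and vendor scripts are only invoked for categories with a valid opt-in. The category names, the `POLICY_VERSION` string and the record shape are assumptions for illustration; the banner markup and cookie storage are left out.

```javascript
// Added example (not from the original page). Category names, POLICY_VERSION and the
// record layout are assumptions; no real vendor scripts or cookies are touched.

const POLICY_VERSION = "2026-03"; // assumed identifier of the current cookie notice text

// "necessary" is exempt from consent (strictly necessary for the requested service);
// every other category stays off until the user explicitly turns it on.
const CATEGORIES = Object.freeze({
  necessary: { optional: false },
  analytics: { optional: true },
  advertising: { optional: true },
});

// State before the user has interacted with the banner: no optional category is on,
// and there is no timestamp because no decision has been made.
function defaultConsent() {
  const choices = {};
  for (const [name, meta] of Object.entries(CATEGORIES)) {
    choices[name] = !meta.optional;
  }
  return { version: POLICY_VERSION, timestamp: null, choices };
}

// Record an explicit decision. A category is on only if the user set it to exactly
// `true`; a missing or truthy-but-not-boolean value is treated as declined, so a
// "pre-ticked" default cannot be smuggled in through this function.
function recordConsent(selection, now = new Date()) {
  const record = defaultConsent();
  for (const name of Object.keys(CATEGORIES)) {
    if (!CATEGORIES[name].optional) continue;
    record.choices[name] = selection[name] === true;
  }
  record.timestamp = now.toISOString();
  return record;
}

// Withdrawal must be as easy as giving consent: one call turns every optional category off.
function withdrawConsent(now = new Date()) {
  return recordConsent({}, now);
}

// A stored record counts only if it is a timestamped decision made under the current
// notice version; anything else means the banner must be shown again.
function isValidRecord(record) {
  return (
    record !== null &&
    typeof record === "object" &&
    record.version === POLICY_VERSION &&
    typeof record.timestamp === "string" &&
    record.choices !== undefined
  );
}

function isAllowed(record, category) {
  if (!(category in CATEGORIES)) return false;      // unknown category: never load
  if (!CATEGORIES[category].optional) return true;  // strictly necessary: always allowed
  if (!isValidRecord(record)) return false;         // no valid opt-in yet
  return record.choices[category] === true;
}

// `loaders` maps a category to the function that would inject that vendor's script.
// Only categories with a valid opt-in are invoked; the rest never run.
function loadPermitted(record, loaders) {
  const loaded = [];
  for (const [category, load] of Object.entries(loaders)) {
    if (isAllowed(record, category)) {
      load();
      loaded.push(category);
    }
  }
  return loaded;
}

// Demonstration on constructed input: the loaders are no-ops standing in for real tags.
function demo() {
  const loaders = { necessary: () => {}, analytics: () => {}, advertising: () => {} };
  const beforeBanner = loadPermitted(defaultConsent(), loaders);
  const afterOptIn = loadPermitted(recordConsent({ analytics: true }), loaders);
  const afterWithdraw = loadPermitted(withdrawConsent(), loaders);
  // A record saved under an older notice version is not reused, even if it said yes to everything.
  const stale = { ...recordConsent({ analytics: true, advertising: true }), version: "2025-01" };
  const afterStale = loadPermitted(stale, loaders);
  return { beforeBanner, afterOptIn, afterWithdraw, afterStale };
}
```

In a real deployment the record returned by `recordConsent` is what you persist (first-party cookie or local storage) and what you keep as evidence of consent; the important property is that nothing in the analytics or advertising category can execute on a page load where `isAllowed` returns false.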
What actually triggers an ICO investigation
The vast majority of ICO investigations are triggered by complaints from individuals, not proactive audits. The most common complaints are: inability to get data deleted, receiving marketing after unsubscribing, and personal data breaches that were never reported. A breach that is likely to result in a risk to individuals must be reported to the ICO within 72 hours of your becoming aware of it, and where the risk is high the affected individuals must be told without undue delay as well; if you decide a breach does not need reporting, record the decision and the reasoning. Fix these three things and you reduce your risk significantly.